An application program is a computer program, or group of programs, that configures a computer to perform functions directly for a user of the application. This is in contrast to system programs, which typically provide one or more software program infrastructure layers, such as an operating system, utilities and related components that manage and integrate a computer's capabilities but typically do not perform tasks directly for the user. In general, the system software serves the application, which in turn, serves the user.
A hosted application is an application that runs on a server that multiple user devices have shared access to over a network. A Browser may act as an interface between a hosted application and a user device, for example. Hosted applications may include client and server components in which a client that runs directly on a user device communicates over a network with a hosted component that runs on a server. A downloadable application, sometimes referred to as an “App,” for example, may act as client interface between a hosted application and a user device. Hosted applications may run on dedicated servers owned and operated by an individual organization. Alternatively, hosted applications may run on a so called cloud computing platform in which servers are virtualized and hardware and software compute resources are shared by other hosted applications.
Enterprises have been trained to think of security in terms of a physical barrier at the perimeter of the network. This model worked well as recently as five years ago when all applications were deployed in enterprise controlled data centers and an IT department controlled not only the application, but the server and networking infrastructures, as well as the data center real estate.
Today, enterprises have a cost-effective option available in the form of public clouds, which can be utilized in addition to the enterprise datacenter strategy. Public cloud deployments can enable enterprises to enjoy reduction in operational (including manpower) and capital expenditures. Some enterprises are therefore choosing to maintain hybrid environments where applications are deployed in the most practical location, be it an enterprise-controlled data center, infrastructure-as-a-service (IaaS) platform, or another similar point of presence.
In many cases, hosted applications act as a utility to enterprise employees to carry out their day-to-day activities. It is important to make sure that only users that are allowed access to a particular application can actually access it, and more importantly, that no external bad actors can access these hosted applications. To achieve this, enterprises have traditionally deployed a multi-layer security infrastructure.
A traditional multi-layer security infrastructure can pose a number of practical challenges. First, for example, each security feature presents a technical challenge to configure and manage, with the enterprises having to make a tradeoff between the level of security that it can deliver on the one hand, and the skillset and operational expertise required to configure and maintain the security on the other hand. This tradeoff may result in an enterprise choosing to deliver a less-than-ideal user experience. For example, users may only be allowed access to certain applications from a branch office location or users may only be allowed access to certain applications from certified devices.
In the past, some enterprises have concluded that the safest approach is to house all hosted applications in a single location. Nevertheless, for business reasons enterprises often house hosted applications in multiple locations. One common security model used by enterprises that house hosted applications at multiple locations involves a “moat” approach in which the enterprise builds a full-service security moat around each physical location housing hosted applications so that each location is protected independently, leading to higher operational and capital expenditures. Another common security model involves a “port of entry” approach in which the enterprise designates a physical location as the entry point for all application traffic. Traffic destined for other physical locations is routed through an overlay, enterprise-managed network (typically built using private links, e.g., IPSec tunnels, etc.), leading to higher end-to-end round-trip times and, consequently, degraded performance. Some enterprises may also deploy a combination of the moat and port of entry approaches.